Effective: August 29, 2021
Terrastruct uses industry best-practices to protect your data. We are in the process of getting a SOC2 certification. If you have a security vulnerability to report, we pay for responsible disclosures.
Terrastruct’s responsible disclosure and bug bounty program is focused on protecting our users’ private data, accounts, and diagrams.
The scope for Terrastruct’s program includes most of our assets—if it’s not explicitly out-of-scope, and has meaningful security impact, it’s fair game. This includes all subdomains of Terrastruct.com.
To be eligible to participate in Terrastruct’s bug bounty program we ask that all researchers act in good faith, which means:
- Don’t try to access other users’ accounts or data — respect their privacy.
- Don’t publicly disclose a vulnerability without Terrastruct’s explicit consent.
- Don’t discuss vulnerability details with anyone other than Terrastruct staff before we can patch the vulnerability.
- Don’t leverage internal access to continue testing. For example, if you have gained remote command execution on a server do not use that access to start scanning or exploring our internal systems. We will assess what, if anything, you could pivot to from your initial report and assess the impact based on that, even if you don’t identify the possibility yourself.
- Don’t upload rootkits, malware, or otherwise go beyond what is necessary to prove a vulnerability exists.
- Don’t leave systems in a more vulnerable state.
- Don’t take any action that could impact the performance or availability of Terrastruct.
- Don’t make copies of Terrastruct’s private production data as “proof”. The report should suffice as proof of impact.
- Be respectful of our team.
- Failure to follow these rules will result in your reports being ineligible for bounty awards.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Eligibility to Participate
Must abide by Terrastruct’s User Agreement if testing with a Terrastruct account. Terrastruct employees, contractors who are currently working with Terrastruct, or have worked with Terrastruct in the previous 6 months, or immediate family members of either are not eligible for bug bounties.
Reports are expected to be thorough and contain enough information that Terrastruct’s security team can easily duplicate any findings. If specially crafted files are required they should be submitted as attachments. Screenshots and videos are encouraged. Submissions should not consist solely of a video.
Reports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.
To be eligible for a bounty
- The reported vulnerability should be a bug that compromises integrity of user data, bypasses privacy protections or enables unauthorised access. Other types of bugs are not eligible.
- Reporter should be the first to disclose the vulnerability.
These are guidelines and may be adjusted by Terrastruct at our own discretion. Note that mitigating factors such as rate limiting (if applicable), the limitations on what may be accessed and the sensitivity of the exposed data will be taken into account when determining bounties.
- Attacks requiring physical access to, root privileges on, or MITM of a user’s device.
- Account Oracles - the ability to determine if an email address or username is in use.
- Attacks targeting outdated browsers or browsers other than Firefox, Chrome, or Safari.
- Insecure cookie settings / flags on non-login cookies.
- Missing HTTP security headers (CSP, HSTS, etc.).
- Weak SSL/TLS/SSH algorithms or protocols.
- Lack of certificate pinning (improper certificate validation still eligible)
- CSRF/CRLF with no security impact (unauthenticated/logout/login CSRF).
- Best practices violations (password complexity, expiration, re-use, etc.).
- Clickjacking on pages with no sensitive actions.
- Component version disclosure without accompanying proof of vulnerability.
- Previously known vulnerable libraries without a working Proof of Concept.
- 0-days in open source / vendor products - give us a chance to fix it on our own, if we missed it then it’s fair game.
- Disclosure of internal tracebacks (unless sensitive environment data is also leaked).
- Comma Separated Values (CSV) injection.
- Reflected file download.
- Content spoofing and text injection issues without being able to modify HTML/CSS.
- Re-usage of passwords from public dumps.
- Homograph links.
- Mobile app crashes.
- Tabnabbing / window.origin not being cleared on new tabs or windows
- Deep links for Android missing autoVerify=true due to current Google limitation with AMP (may change in future)
- Clickjacking/cross-frame scripting. Terrastruct intentionally allows the use of iFrames wherever diagram authors want to include their diagrams.
Denial of service attacks:
Not in scope, don’t do it.
In-scope domains (inclusive of all subdomains):
Any SaaS or other service provider not explicitly called out. If you think it’s something owned by Terrastruct, you can send it along - we’ll decide if it’s out-of-scope.
Any information you receive or collect about Terrastruct, Terrastruct’s systems, or any of our users, employees, or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request by emailing us. Please note, not all requests for public disclosure can be approved.
Rights and Licenses
We may modify the Program Terms or cancel the Bug Bounty Program at any time.
By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.
By making a Submission, you give us the right to use your Submission for any purpose.
Reports must be submitted by email to firstname.lastname@example.org